EHR modernization effort lacks cyber performance measures, GAO finds

Source Domain: fedscoop.com

The Federal Electronic Health Record Modernization office, in charge of providing direction and oversight for federal health records across four agencies, needs to boost its interagency collaboration on cybersecurity and privacy protection, the Government Accountability Office said in a report published Tuesday.

After finding the office lacked interagency collaboration goal performance measures for the past two fiscal years, the report said that Defense Department and Veterans Affairs Department leadership should “ensure that the FEHRM’s efforts to coordinate cybersecurity and privacy protection are fully meeting leading interagency collaboration practices.”

“Without clear goals and outcomes, the FEHRM has limited insight into the specific resources, skills, or time needed to address any shared cybersecurity responsibilities,” the report said. “Ensuring accountability relies on monitoring, assessing, and communicating progress toward the short- and long-term outcomes by using performance measures.”

The report also said FEHRM has not fully articulated specific short- or long-term goals or intended outcomes related to the cybersecurity of the federal EHR or the privacy of health data within it. As of January, goals for fiscal 2026 were “still under development.”

“As a result, the FEHRM may not have critical information needed to assess and communicate progress and may be at risk of failing to achieve shared cybersecurity responsibilities,” it said.

But not everyone agrees. The DOD did not concur with the draft GAO report sent in March, and the VA neither agreed nor disagreed, saying it has taken “essential” first steps.

However, the VA agreed that DOD has the primary responsibility of ensuring the cybersecurity of EHRs. It said there must be concurrence to implement the recommendations to both agencies to define common goals, outcomes, and performance measures, as well as monitor, assess and communicate…

Source